diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
index d6fa2e755c..6e8e9df541 100644
--- a/bin/tests/system/keymgr2kasp/ns3/named.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
@@ -51,6 +51,14 @@ zone "csk.kasp" {
 dnssec-dnskey-kskonly no;
 };
 
+zone "csk-nosep.kasp" {
+ type primary;
+ file "csk-nosep.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly no;
+};
+
 zone "rumoured.kasp" {
 type primary;
 file "rumoured.kasp.db";
diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
index 770345055a..c5384b9270 100644
--- a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
@@ -49,6 +49,13 @@ zone "csk.kasp" {
 dnssec-policy "default";
 };
 
+zone "csk-nosep.kasp" {
+ type primary;
+ file "csk-nosep.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
 zone "rumoured.kasp" {
 type primary;
 file "rumoured.kasp.db";
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
index 4f2e670ddf..0f54e5172b 100644
--- a/bin/tests/system/keymgr2kasp/ns3/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -39,7 +39,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
-# Set up a Single-Type Signing Scheme zone with auto-dnssec maintain to
+# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
 # migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
 # configured, meaning the zone is signed with a single CSK.
 setup csk.kasp
@@ -50,6 +50,14 @@ cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 $SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
+setup csk-nosep.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy. The existing keys are
 # RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 7bb02bc47e..f8861edbab 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -152,7 +152,9 @@ set_server "ns3" "10.53.0.3"
 
 key_clear "KEY1"
 key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "csk"
+set_keyrole "KEY1" "ksk"
+# This key also acts as a ZSK.
+key_set "KEY1" "ZSK" "yes"
 set_keylifetime "KEY1" "none"
 set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
 set_keysigning "KEY1" "yes"
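Review bot: The new csk-nosep.kasp block is a line-for-line copy of the csk.kasp block that precedes it, and the only thing that makes it a "no SEP" case is that the `$KEYGEN` call carries no `-f KSK` (dnssec-keygen then produces a key with ZSK flags, 256, and no SEP bit), yet nothing in the hunk says so, and a reader will take the second block for a copy-paste slip. Suggest a comment above `setup csk-nosep.kasp`: `# Same as csk.kasp, but the CSK is generated without -f KSK, so it carries` / `# ZSK flags (256) and no SEP bit while still signing DNSKEY and zone data.` The csk.kasp KEYGEN line itself lies above the hunk, so that it passes `-f KSK` is inferred from the zone names and from the flags asserted in tests.sh rather than visible here.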
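Review bot: `# This key also acts as a ZSK.` describes what the added `key_set "KEY1" "ZSK" "yes"` asserts but not why the expected role moved from `csk` to `ksk`; presumably the legacy key files carry no dnssec-policy role, so the role is read from the key flags (SEP set gives ksk) and the ZSK property has to be asserted separately. Suggest replacing the comment with `# Legacy key: role follows the SEP bit (ksk), but it also signs zone data (ZSK).` so the symmetry with the csk-nosep.kasp case, where the roles are the other way round, is visible to the next reader.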
@@ -184,6 +186,49 @@ dnssec_verify
 # Remember legacy key tags.
 _migrate_csk=$(key_get KEY1 ID)
 
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
+# Despite the missing SEP bit, this key also acts as a KSK.
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk_nosep=$(key_get KEY1 ID)
+
 #
 # Testing key states derived from key timing metadata (rumoured).
 #
@@ -461,6 +506,57 @@ ret=0
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Test migration to dnssec-policy, existing keys do not match key algorithm.
 #
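Review bot: The key-tag comparison `[ $_migrate_csk_nosep = $(key_get KEY1 ID) ]` leaves both sides unquoted, so if `key_get` yields nothing (key not found after migration) the check degrades into a `[: unary operator expected` error instead of a clean mismatch report; quote it as `[ "$_migrate_csk_nosep" = "$(key_get KEY1 ID)" ] || log_error "mismatch csk tag for ${ZONE}"`. Carrying `${ZONE}` in the message also keeps this failure distinguishable from the csk.kasp tag check that precedes the hunk, which appears to use the same wording. The expectations just above pin `FLAGS 256` together with role `csk`, i.e. migration adopts the SEP-less key as the CSK rather than rolling it; that is the property this block exists to protect and deserves a sentence in the `# Check key tags, should be the same.` comment.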